[CentOS] resolving names is really slow with CentOS5.x using named

Mon May 25 17:23:46 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

carlopmart wrote:
> Les Mikesell wrote:
>> carlopmart wrote:
>>>>>>> Thanks lars. Correctly, firewall could be the problem, but it isn't. Because 
>>>>>>> Ubuntu and Windows 2003/2008 don't have problems with it ... and resolve 
>>>>>>> perfectly ... And I haven't configured this firewall to accept DNS queries 
>>>>>>> originating from source port 53 ...
>>>>>>>
>>>>>> What does 'dig' show about your access to the root servers without 
>>>>>> forwarders and with and without forcing the query-source port?  Compare 
>>>>>> it to the Ubuntu system.  Maybe there's something wrong with the root 
>>>>>> hints file - or maybe your border firewall is blocking all udp to this 
>>>>>> box but permitting it to the DNS servers that work.
>>>>>>
>>>>> Thanks Les, but I have checked it before posting this problem. Ubuntu and CentOS 
>>>>> have the same file to do queries to root servers ...
>>>> And the results of 'dig' on each?
>>>>
>>>>> I have found a temporary solution: reduce the MTU on the CentOS server (1440) ... I 
>>>>> need to investigate why CentOS loses some packets and Ubuntu doesn't ....
>>>> Are you routing through tunnels?
>>>>
>>>>
>>> No, all hosts (firewall and CentOS DNS server) are connected to GByte network.
>> That's not where the problem is. Since you are working with forwarding 
>> on, the problem has to be when you try to go directly to the internet 
>> over UDP so it would be at the firewall or border router.  When DNS 
>> fails, it will retry with TCP and that might be why it eventually works. 
> 
> That's not possible, because firewall only permits DNS queries over UDP ...

I'd advise following the standards.  If the response won't fit in a udp 
packet, it has to fail over to tcp.

> 
>> Is there anything in the path to the internet that needs a lower MTU 
>> (perhaps a DSL line running PPPoE)?  Or do you have jumbo packets enabled 
>> on your Gig NIC? 
> 
> No, but firewalls have an MTU configured with 1450 on external interfaces ...

Why?

>> And if you do need a small MTU, do you have firewalls
>> blocking the ICMP messages that are required to discover that automatically?
> 
> Yes, ICMP messages are blocked on firewall, but are blocked for all hosts: 
> CentOS DNS servers, Ubuntu servers, Windows servers ... I don't understand why 
> using Ubuntu or Windows servers to resolve names works ok and with CentOS (and 
> with RHEL5 too; I have just checked it) doesn't ...

The 'dig' response might give you a hint.  But if all other network 
operations work OK, I'd still guess it is a firewall setting that you 
are missing.

-- 
   Les Mikesell
    lesmikesell at gmail.com
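As an added illustration of two points in Les's reply above (a reply with the TC bit set has to be retried over TCP, and a lowered MTU combined with blocked ICMP turns large UDP replies into silent loss), here is a small Python script written for this edit; it is not code from the thread or from BIND. The header layout follows RFC 1035; the sample messages are constructed, and the 1440-byte path MTU in the demo mirrors the value mentioned in the thread.

```python
import struct

# Constructed example (not from the thread): a minimal DNS header parser
# plus a checker that reports why a UDP-only, ICMP-blocking path would
# stop a given reply from arriving.

CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum DNS-over-UDP payload without EDNS0
IPV4_HEADER = 20
UDP_HEADER = 8
FLAG_QR = 0x8000          # response bit
FLAG_TC = 0x0200          # TrunCation: answer did not fit, retry over TCP


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(msg: bytes) -> bool:
    """A standards-compliant resolver retries over TCP when TC is set."""
    return parse_header(msg)["tc"]


def fragments_at_mtu(payload_len: int, mtu: int) -> bool:
    """True when the UDP datagram carrying the reply exceeds the path MTU."""
    return payload_len + IPV4_HEADER + UDP_HEADER > mtu


def diagnose(msg: bytes, path_mtu: int) -> list:
    """List the delivery problems a UDP-only, ICMP-blocking path would cause."""
    findings = []
    hdr = parse_header(msg)
    if hdr["tc"]:
        findings.append("tc-set: resolver must retry over TCP/53")
    if len(msg) > CLASSIC_UDP_LIMIT:
        findings.append("over-512: reply needs EDNS0 buffer advertisement")
    if fragments_at_mtu(len(msg), path_mtu):
        # Path MTU discovery relies on ICMP Destination Unreachable,
        # Fragmentation Needed (type 3, code 4); blocking it hides the problem.
        findings.append("fragments: datagram exceeds MTU; PMTUD needs ICMP type 3 code 4")
    return findings


def build_response(ident: int, truncated: bool, payload_len: int) -> bytes:
    """Construct a synthetic reply: valid header, zero-padded to payload_len."""
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    header = struct.pack("!6H", ident, flags, 1, 0 if truncated else 1, 0, 0)
    return header + b"\x00" * max(0, payload_len - len(header))


if __name__ == "__main__":
    samples = (
        ("small", build_response(0x1234, False, 100)),
        ("big", build_response(0x1234, False, 1500)),
        ("truncated", build_response(0x1234, True, 200)),
    )
    for name, m in samples:
        print(name, diagnose(m, path_mtu=1440))
```

On a live resolver the equivalent checks are the `dig` comparisons Les asks for: `dig +notcp` forces UDP and `dig +tcp` forces TCP against the same server, so a reply that only arrives over TCP points at the UDP-only firewall rule rather than at the root hints.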